Richard Bejtlich's blog on digital security, strategic thought, and military history.

Tuesday, March 15, 2005

Banks Also Fighting the Last War

Security guru Bruce Schneier wrote an insightful essay titled The Failure of Two-Factor Authentication. He essentially argues that the millions of dollars banks and others are spending on two-factor authentication don't address modern threats. When phishers convince victims to enter credentials that the phisher passes to a real e-commerce site, it doesn't matter if the credentials are a password or an RSA token code and PIN. Also, forget about phishing; just install a silent Trojan that performs fraudulent commercial actions during an authenticated, legitimate session. Something like xss-proxy might do the trick.

This reminded me of my blog entry As Always, .gov and .mil Fight the Last War. I guess it takes too long to implement and fund initiatives in these huge organizations. It's like changing the course of an oil tanker. I'm sure the security staff recommended two-factor authentication five years ago and has only now received funding. Unfortunately, that strategy applied to older threats and cannot address the current problem. Two-factor authentication would probably have helped Paris Hilton remain in control of her T-Mobile account, though!
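The following is an added illustration, not code from the post or from Schneier's essay, of why the one-time code in the first paragraph does nothing against a relay or an in-session Trojan, and of the remedy usually proposed: authenticating the transaction rather than the user. It models a bank's check with a TOTP-style code (HMAC over a 30-second counter, HOTP-style truncation) beside a transaction-bound code that also covers the payee and amount the user confirms. The secret, the timestamps, the account names and the `relay_scenario` function are all constructed for the example; there is no network code, only the two verification checks and the data that reaches them.

```python
import hashlib
import hmac
import struct

# Constructed sample values: a secret provisioned to one user's token and
# a fixed time step. Real deployments use per-user random secrets.
SECRET = b"constructed-shared-secret-for-demo"
STEP_SECONDS = 30
DIGITS = 8


def _truncate(digest: bytes, digits: int) -> str:
    """Dynamic truncation as in HOTP (RFC 4226): pick 4 bytes at the offset
    given by the last nibble, mask the sign bit, reduce modulo 10^digits."""
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp_code(secret: bytes, now: float) -> str:
    """Time-based one-time code: HMAC over the current 30-second counter only.
    Nothing in the input identifies the session or the transaction."""
    counter = int(now // STEP_SECONDS)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(digest, DIGITS)


def bank_accepts_totp(secret: bytes, presented_code: str, now: float) -> bool:
    """What a login check does with a plain OTP: recompute and compare.
    It cannot tell who is presenting the code or for what purpose."""
    return hmac.compare_digest(presented_code, totp_code(secret, now))


def canonical_transaction(txn: dict) -> bytes:
    """Fixed encoding of the details the user is asked to confirm."""
    return f"{txn['to']}|{txn['amount']}".encode()


def transaction_code(secret: bytes, txn: dict, now: float) -> str:
    """Transaction-bound code: HMAC over the counter AND the transaction the
    user sees on a trusted display. A relayed or Trojan-altered transaction
    no longer matches what the user approved."""
    counter = int(now // STEP_SECONDS)
    msg = struct.pack(">Q", counter) + canonical_transaction(txn)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return _truncate(digest, DIGITS)


def bank_accepts_transaction(secret: bytes, txn_received: dict,
                             presented_code: str, now: float) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(presented_code,
                               transaction_code(secret, txn_received, now))


def relay_scenario() -> dict:
    """Model of the two failure modes in the essay, on constructed data:
    the user approves a $50 transfer at t=1000; whatever sits between user
    and bank (a relay or a Trojan in the session) submits a different
    transfer five seconds later, inside the same 30-second window."""
    t_user, t_attacker = 1000.0, 1005.0
    approved = {"to": "ACCT-PAYEE-OK", "amount": 50}
    altered = {"to": "ACCT-MULE", "amount": 5000}

    # Plain OTP: the relayed code is valid for whatever is submitted with it.
    otp = totp_code(SECRET, t_user)
    plain_otp_accepts_altered = bank_accepts_totp(SECRET, otp, t_attacker)

    # Transaction-bound code: the same relay fails because the bank's
    # recomputation covers the altered details, not the approved ones.
    bound = transaction_code(SECRET, approved, t_user)
    bound_accepts_altered = bank_accepts_transaction(SECRET, altered, bound, t_attacker)
    bound_accepts_approved = bank_accepts_transaction(SECRET, approved, bound, t_attacker)

    return {
        "plain_otp_accepts_altered_transfer": plain_otp_accepts_altered,
        "bound_code_accepts_altered_transfer": bound_accepts_altered,
        "bound_code_accepts_approved_transfer": bound_accepts_approved,
    }


if __name__ == "__main__":
    for name, outcome in relay_scenario().items():
        print(f"{name}: {outcome}")
```

The 30-second window limits how long a captured code stays useful, but a relay that forwards it within seconds is unaffected, which is the essay's point. Binding the code to the payee and amount only helps if the user reads those details on something the Trojan cannot rewrite (a token display, a separate device), so the "trusted display" assumption in `transaction_code` is the part a deployment has to get right.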